powershell - Check group membership based on a wildcard (PowerShell)
Question
I'm writing a PowerShell script to bulk-amend users, but I've hit a wall with one particular section.
Currently my organisation has a series of groups beginning with "RIS_" - new groups are added and removed regularly, so my idea was to create a script that checks each user listed in the .csv (reference = $Username) to see whether they belong to any group beginning with "RIS_".
For example, the base group is "RIS_ReadOnly", which grants basic access to an application used within our organisation. The other groups represent various access levels with different permissions, but membership of multiple groups will always enforce the lowest permission. This is outside my control, so I can't push for a change to how it works.
The script itself pulls from a .csv file - that whole section is sorted and working.
A user can only be a member of one of these groups at a time, and our usual process involves adding them to the base ReadOnly group. However, this doesn't account for existing users returning to work who may have elevated access and would therefore lose it when added to the ReadOnly group. Given the number of staff coming and going, we can't realistically check the existing membership of every account, hence the script.
This command needs to check whether the user is a member of a group beginning with "RIS_". If the user is not in such a group, add them to the group specified in the .csv (reference = $RIS). If the user is already in one, it should write a message and move on to the next stage of the code without adding them to anything.
Everything I've found online points to getting the group itself first and listing its members, but that won't work because the number of groups changes over time and each group has a large number of users. Is there a way to set this up with an "IF" statement? I've tried multiple approaches, but the script either adds nothing at all or adds the group regardless.
Here's what I have currently, but it obviously doesn't work. Any tips?
If ( ($User.MemberOf -like "RIS_" ) )
{
write-verbose "User is already a member of a RIS group"
else
Add-ADGroupMember -Identity "$RIS" -Members $Username
}
Here is the full script (please excuse the beginner's mess):
CLS
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADAmend.csv in the $ADUsers variable
$ADUsers = Import-csv "\\nuth-it01\workstore\Service Desk\Account Admin Scripts\02 - Amend\01 User - Generic\ADAmend.csv"
#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$employeeID = $User.EmployeeID
$email = $User.email
$jobtitle = $User.jobtitle
$department = $User.department
$DOB = $User.DOB
$INC = $User.INC # INC Identifier - can contain additonal text if account was reactivated/amended
$GMSN = $User.GMSN # Identifier for GMC and Student Number
$HomeDrive = $User.Homedrive # Identifier for Home Drive Group
$AUF = $User.AUF # Identifier for AUD Form completion (Y/N - default "N")
$AddGrp1 = $User.AddGrp1 # Catchall for additional groups if requested (Can be left blank)
$AddGrp2 = $User.AddGrp2 # Catchall for additional groups if requested (Can be left blank)
$AddGrp3 = $User.AddGrp3 # Catchall for additional groups if requested (Can be left blank)
$eRescue = $User.Erescue # eRescue-AHCare / eRescue-RegNurse / eRescue-SenMedic / eRescue-Medic
$RIS = $User.RIS # RIS_ReadOnly / RIS_Radiologists / RIS_Radiographers / RIS_Secretaries / RIS_Nurse
$PACS = $User.PACS # PACS_Clinicians / PACS_Radiologists / PACS_Radiographers / PACS_Secretaries
# Following code adds user to "Xenapp Erecord Downtime" group and enables account. This may return errors if the user is already a member or the account isn't disabled but they can be ignored
Add-ADGroupMember -Identity "Xenapp Erecord Downtime" -Members $Username
Remove-ADGroupMember -Identity "Disabled_Users" -Members $Username -Confirm:$False
Enable-ADAccount -Identity $Username
Clear-ADAccountExpiration -Identity $Username
# Adds the INC into the telephone notes - if this field is blank (it shouldn't be) then nothing will be changed.
$i = Get-ADUser $Username -Properties info | %{ $_.info}
Set-ADUser $Username -Replace @{info="$($i) `r`n $INC"}
# This next set of code identifies if a cell is left blank in the input sheet, and ignores it if this is the case (prevents wiping pre-existing fields)
# NOTE: If input sheet is modified, this code will need to be modified too
If(-not [string]::IsNullOrWhiteSpace($User.DOB) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute10="$DOB"} # Add DOB
}
If(-not [string]::IsNullOrWhiteSpace($User.password) )
{
Set-ADAccountPassword -Identity $Username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$Password" -Force) # changes password to specified string - if left blank will not change password
Set-ADUser -Identity $Username -ChangePasswordAtLogon $True # Forces password change at logon - if password field is left blank this will be ignored
}
If(-not [string]::IsNullOrWhiteSpace($User.firstname) )
{
Set-ADUser -Identity $Username -GivenName $Firstname
}
If(-not [string]::IsNullOrWhiteSpace($User.lastname) )
{
Set-ADUser -Identity $Username -Surname $Lastname
}
If(-not [string]::IsNullOrWhiteSpace($User.EmployeeID) )
{
Set-ADUser -Identity $Username -EmployeeID $EmployeeID
}
If(-not [string]::IsNullOrWhiteSpace($User.Jobtitle) )
{
Set-ADUser -Identity $Username -Description $jobtitle
}
If(-not [string]::IsNullOrWhiteSpace($User.Department) )
{
Set-ADUser -Identity $Username -Office $department
}
If(-not [string]::IsNullOrWhiteSpace($User.GMSN) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute14="$GMSN"} # Add GMC or Student Number
}
If(-not [string]::IsNullOrWhiteSpace($User.AUF) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute1="$AUF"} # Has AUF form been signed?
}
If(-not [string]::IsNullOrWhiteSpace($User.Email) )
{
Set-ADUser -Identity $Username -EmailAddress $email
}
If(-not [string]::IsNullOrWhiteSpace($User.HomeDrive) )
{
Add-ADGroupMember -Identity "$HomeDrive" -Members $Username # Adds user to homedrive
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp1) )
{
Add-ADGroupMember -Identity "$AddGrp1" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp2) )
{
Add-ADGroupMember -Identity "$AddGrp2" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp3) )
{
Add-ADGroupMember -Identity "$AddGrp3" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.eRescue) )
{
Add-ADGroupMember -Identity "$eRescue" -Members $Username
}
If ( ($User.MemberOf -like "RIS_*" ) )
{
write-verbose "User is already a member of a RIS group"
else
Add-ADGroupMember -Identity "$RIS" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.PACS) )
{
Add-ADGroupMember -Identity "$PACS" -Members $Username
}
Write-Warning "$Username Amended"
}
I've also attached a screenshot of the input csv below:
Solution
If you want to check whether the user is already a member of such a group, you can try checking the user directly in Active Directory, like this:
# memberOf holds the distinguished names of the user's direct groups, so each
# value looks like 'CN=RIS_ReadOnly,OU=...,DC=...' and can be matched on its CN prefix
if ((Get-ADUser $Username -Properties *).memberof | Where-Object {$_ -like 'CN=RIS_*'})
{
    write-verbose "User is already a member of a RIS group"
}
else
{
    Add-ADGroupMember -Identity $RIS -Members $Username
}
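As an added example (not code from the question or the answer above), here is a version of the same check that covers two edge cases a practitioner would want handled. First, `memberOf` lists only direct memberships: a returning user whose elevated RIS access is inherited through a nested group would not be found and would be silently downgraded to the group named in the CSV, which is exactly the outcome the question is trying to avoid. The `-Recursive` switch asks the domain controller to walk nested membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule. Second, the direct check resolves each DN to a group object and compares the group's Name rather than pattern-matching the raw DN string. The function names, the `RIS_` prefix parameter and the `-WhatIf` dry run are my assumptions and are not part of the original script; the ActiveDirectory module and rights to read `memberOf` and modify the target group are assumed to be available.

```powershell
# Added example, not from the original question or answer.
# Assumes the ActiveDirectory module is loaded (Import-Module ActiveDirectory)
# and the caller can read memberOf and modify the RIS_* groups.

function Get-ADGroupMembershipByPrefix {
    <#
    .SYNOPSIS
    Returns the groups (direct, or nested with -Recursive) whose name starts
    with $Prefix and contain the given user. Returns nothing if there are none.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,   # sAMAccountName, DN, GUID or SID
        [Parameter(Mandatory)] [string] $Prefix,     # e.g. 'RIS_' (assumed convention)
        [switch] $Recursive                          # also match groups reached via nesting
    )

    $user = Get-ADUser -Identity $Identity -Properties memberOf

    if ($Recursive) {
        # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC
        # evaluate transitive membership server-side, in one query.
        # Characters with special meaning in LDAP filters must be escaped in the DN
        # (backslash first, so the escapes themselves are not re-escaped).
        $escapedDn = $user.DistinguishedName -replace '\\', '\5c' `
                                             -replace '\*', '\2a' `
                                             -replace '\(', '\28' `
                                             -replace '\)', '\29'
        $filter = "(&(objectCategory=group)(cn=$Prefix*)(member:1.2.840.113556.1.4.1941:=$escapedDn))"
        return Get-ADGroup -LDAPFilter $filter
    }

    # Direct membership only: memberOf is a list of DNs. Resolving each DN to a
    # group object and comparing Name avoids relying on the DN string layout.
    foreach ($dn in $user.memberOf) {
        $group = Get-ADGroup -Identity $dn
        if ($group.Name -like "$Prefix*") { $group }
    }
}

function Set-RisGroupMembership {
    <#
    .SYNOPSIS
    Adds the user to $TargetGroup only if they hold no RIS_* group already.
    Supports -WhatIf / -Confirm so the CSV run can be rehearsed first.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Username,
        [string] $TargetGroup,          # value of the RIS column, e.g. RIS_ReadOnly
        [string] $Prefix = 'RIS_'
    )

    # A blank RIS cell means "no change", matching how the other CSV columns are treated.
    if ([string]::IsNullOrWhiteSpace($TargetGroup)) {
        Write-Verbose "$Username : no RIS group requested, skipping"
        return
    }

    # @() guarantees an array so .Count is 0 for no result and 1 for a single group.
    $existing = @(Get-ADGroupMembershipByPrefix -Identity $Username -Prefix $Prefix -Recursive)

    if ($existing.Count -gt 0) {
        # Do not touch the user: adding them to a second RIS group would drop
        # them to the lowest permission level of the groups they hold.
        Write-Verbose ("{0} already in RIS group(s): {1}; leaving membership unchanged" -f `
                       $Username, ($existing.Name -join ', '))
        return
    }

    if ($PSCmdlet.ShouldProcess($Username, "Add to group $TargetGroup")) {
        Add-ADGroupMember -Identity $TargetGroup -Members $Username
        Write-Verbose "$Username added to $TargetGroup"
    }
}

# Usage inside the CSV loop, in place of the broken If/else block:
#   Set-RisGroupMembership -Username $Username -TargetGroup $RIS -Verbose
# Rehearse the whole CSV without changing anything by appending -WhatIf.
```

Run the loop once with `-WhatIf -Verbose` before the live run: every account that would be added, and every account that is skipped because it already holds a RIS_* group (directly or through nesting), is listed, so the downgrade scenario in the question can be audited before any membership changes are written to the directory.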